Approach

Risk is a landscape. We made it legible.

Calvyan is built on a simple, research-grounded claim: incidents are downstream of conditions. Measure the conditions well, render them honestly, and a leader can act while the cost is still small.

The premise

Every incident has a backstory written in conditions — friction that bred a workaround, hesitation that delayed a report, load that dulled a defense.

For thirty years, security has invested almost everything in the technical layer — systems, controls, detections — and far less in measuring the human and organizational layer those controls depend on. The result is a field that can tell you precisely which control failed, and much less about why.

Calvyan treats that organizational layer as a first-class, measurable system. Not soft. Not unknowable. A terrain with shape, slope and history — one you can survey, benchmark, and change on purpose.

Two layers of risk

TECHNICAL LAYER: Systems · Controls · Detections · Alerts
Well-instrumented · 30 years of investment

VISIBILITY GAP

ORGANIZATIONAL LAYER: Culture · Load · Friction · Alignment · Reporting
Undermeasured · Where outcomes are shaped
Calvyan measures here ↑

How we measure

Three sources, triangulated into one honest score.

A — Perception

How conditions feel

Short, role-aware pulse instruments capture lived experience — the friction, safety and load people actually carry, sampled often enough to show movement.

B — Behavior

How conditions show

De-identified telemetry from systems you already run — change discipline, reporting latency, access patterns — grounds perception in observed behavior.

C — Structure

How conditions are set

The fixed architecture — ownership, incentives, reporting lines — that quietly bounds how high or low a condition can sit in the first place.

Triangulation Model: Three sources → one score

PERCEPTION (How it feels) · BEHAVIOR (How it shows) · STRUCTURE (How it's set)

CONDITION SCORE: 72 / 100

Triangulated where they agree · Flagged where they don't

Each condition is scored where these three agree, and flagged where they don't — because a gap between how a condition feels and how it behaves is itself a signal worth reading.

The seven conditions.

01
Policy Friction

How much the operating model slows the business — and how often people route around it.

02
Risk Reporting

Whether concerns surface early and honestly, or arrive late and filtered.

03
Cognitive Load

The weight of alerts, tools and context-switching on the people defending you.

04
Behavioral Signals

Everyday security behaviors — hygiene, phishing response, change discipline — in aggregate.

05
Psychological Safety

How safe people feel raising bad news and challenging decisions before they cost.

06
Security Culture

How widely ownership of risk is shared beyond the security team itself.

07
Leadership Alignment

Whether executive and security priorities point the same way — in budget, not words.

Seven conditions, chosen because each is measurable, movable, and load-bearing for the others.

Principles

What we hold to.

Conditions, not people

We measure the system, not the individual. Everything is aggregated and de-identified by design — surveillance is the opposite of what we do.

Honest over flattering

A score that always reads green is worthless. We surface the elevated conditions plainly, even — especially — when they're uncomfortable.

Built to be acted on

A measurement that doesn't change a decision is a vanity metric. Every condition ends in a move someone can own.

Read the conditions. Change the outcome.

See the approach applied to your own organization — one unit, thirty minutes, real terrain.